haiwen / seafdav

Seafile webdav server

Kerberos Authentication in seafdav, minimal patch provided.

neffs opened this issue · comments

We use Seafile WebDAV with Kerberos (using FreeIPA). This currently needs a small patch which could be made optional and integrated in Seafile. I attached it below.
The key HTTP_REMOTE_USER should also be configurable. Obviously this only works if all users are stored in LDAP anyway.

It works nicely with native WebDAV support in LibreOffice, eliminating the need to store passwords in LibreOffice (and typing the master password).

--- seafile-server-4.0.6_orig/seahub/thirdpart/wsgidav/http_authenticator.py    2015-02-04 08:08:22.000000000 +0100
+++ seafile-server-4.0.6/seahub/thirdpart/wsgidav/http_authenticator.py 2015-02-09 14:49:05.275859317 +0100
@@ -167,6 +167,11 @@

         _logger.debug("realm '%s'" % realmname)
         # _logger.debug("%s" % environ)
+        if "HTTP_REMOTE_USER" in environ: # and (not self._acceptdigest and not self._acceptbasic):
+            _logger.debug("HTTP_REMOTE_USER: %s" % environ["HTTP_REMOTE_USER"])
+            environ["http_authenticator.realm"] = realmname
+            environ["http_authenticator.username"] = environ["HTTP_REMOTE_USER"].lower()
+            return self._application(environ, start_response)

         force_allow = False
         if HOTFIX_WIN_AcceptAnonymousOptions and environ["REQUEST_METHOD"] == "OPTIONS":
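
Review bot: the added `if "HTTP_REMOTE_USER" in environ:` branch takes the username straight from a request header and returns `self._application(environ, start_response)` at once, so the rest of the method is skipped whenever that header is present, with no check of who set it. Any request that reaches this code without passing through a front end that overwrites the header can name the user it wants. Put the branch behind a configuration option that is off by default (the commented-out `not self._acceptdigest and not self._acceptbasic` condition points the same way), read the key name from configuration instead of hard-coding it, and document that the front end must set the header on every request. The `.lower()` on the username also needs a comment saying why the case is folded.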

Can you provide the corresponding webserver configuration? I'd like to try Kerberos for WebDAV as well.

<Location /seafdav>
  AuthType GSSAPI
  AuthName "WebDAV Login"
  GssapiBasicAuth On
  GssapiCredStore keytab:/etc/apache2/http.keytab

  Require valid-user
  RequestHeader set REMOTE-USER %{REMOTE_USER}s
</Location>
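
The patch and the Apache configuration above only work safely together if the `HTTP_REMOTE_USER` key can reach the authenticator from the Kerberos front end and from nowhere else. The following Python 3 WSGI filter is an added example, not code from this thread, Seafile or WsgiDAV; the class name, the `enabled` switch and the loopback proxy addresses are assumptions made for illustration.

```python
import ipaddress

# Assumptions for this sketch: the front end connects from loopback and the
# header key is the one used in the patch; both would be configuration values.
TRUSTED_PROXIES = ("127.0.0.1/32", "::1/128")
HEADER_KEY = "HTTP_REMOTE_USER"


class TrustedRemoteUserFilter:
    """WSGI middleware that keeps HEADER_KEY only for requests from a trusted front end."""

    def __init__(self, app, enabled=False, header_key=HEADER_KEY,
                 trusted_proxies=TRUSTED_PROXIES):
        self.app = app
        self.enabled = enabled          # off by default: header auth is opt-in
        self.header_key = header_key
        self.trusted = [ipaddress.ip_network(p) for p in trusted_proxies]

    def peer_is_trusted(self, environ):
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return False  # missing or malformed peer address: never trust
        return any(peer in net for net in self.trusted)

    def __call__(self, environ, start_response):
        value = environ.get(self.header_key, "").strip()
        if self.enabled and value and self.peer_is_trusted(environ):
            environ[self.header_key] = value
        else:
            # Remove the header so the authenticator falls back to basic/digest.
            environ.pop(self.header_key, None)
        return self.app(environ, start_response)


def seen_user(environ, enabled=True):
    """Run one constructed request through the filter; return what the inner app sees."""
    seen = {}

    def inner(env, start_response):
        seen["user"] = env.get(HEADER_KEY)
        return []

    TrustedRemoteUserFilter(inner, enabled=enabled)(dict(environ), lambda *a: None)
    return seen["user"]


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    print(seen_user({"REMOTE_ADDR": "127.0.0.1", HEADER_KEY: "alice@EXAMPLE.TEST"}))
    print(seen_user({"REMOTE_ADDR": "203.0.113.9", HEADER_KEY: "admin"}))
```

Wrapped around the WebDAV application, the filter leaves the patched branch reachable only for requests relayed by the listed front-end addresses.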